[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Thu Oct 20 05:01:01 UTC 2022


The branch, master has been updated
       via  50cbdecf2e2 tests/krb5: Add test requesting a TGT expiring post-2038
       via  67811e121fb tests/krb5: Add test requesting a service ticket expiring post-2038
      from  eb2f3526032 s4:ldap_server: let ldapsrv_call_writev_start use conn_idle_time to limit the time

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 50cbdecf2e276e5f87b9c2d95fd3ca86d11a08e2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Oct 20 12:36:44 2022 +1300

    tests/krb5: Add test requesting a TGT expiring post-2038
    
    This demonstrates the behaviour of Windows 11 22H2 over Kerberos,
    which changed to use a year 9999 date for a 'forever' time in
    tickets.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Thu Oct 20 05:00:23 UTC 2022 on sn-devel-184

commit 67811e121fbef08337675d473390160793544719
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 4 12:25:08 2022 +1300

    tests/krb5: Add test requesting a service ticket expiring post-2038
    
    Windows 11 22H2 performs such requests, with year 9999.
    The test fails with KDC_ERR_BAD_INTEGRITY on older
    Heimdal versions, which are unable to verify a checksum
    over the modified request body (due to a re-encoding failure).
    
    REF: https://github.com/heimdal/heimdal/issues/1011
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
 python/samba/tests/krb5/as_req_tests.py  | 13 +++++++++++--
 python/samba/tests/krb5/kdc_tgs_tests.py | 14 ++++++++++++++
 2 files changed, 25 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py
index 6a573947067..6b3b5ad4a22 100755
--- a/python/samba/tests/krb5/as_req_tests.py
+++ b/python/samba/tests/krb5/as_req_tests.py
@@ -47,7 +47,7 @@ class AsReqBaseTest(KDCBaseTest):
                                   expected_cname=None, sname=None,
                                   name_type=NT_PRINCIPAL, etypes=None,
                                   expected_error=None, expect_edata=None,
-                                  kdc_options=None):
+                                  kdc_options=None, till=None):
         user_name = client_creds.get_username()
         if client_account is None:
             client_account = user_name
@@ -71,7 +71,8 @@ class AsReqBaseTest(KDCBaseTest):
         expected_sname = sname
         expected_salt = client_creds.get_salt()
 
-        till = self.get_KerberosTime(offset=36000)
+        if till is None:
+            till = self.get_KerberosTime(offset=36000)
 
         if etypes is None:
             etypes = client_as_etypes
@@ -516,6 +517,14 @@ class AsReqKerberosTests(AsReqBaseTest):
             sname=wrong_krbtgt_princ,
             expected_error=KDC_ERR_S_PRINCIPAL_UNKNOWN)
 
+    # Test that we can make a request for a ticket expiring post-2038.
+    def test_future_till(self):
+        client_creds = self.get_client_creds()
+
+        self._run_as_req_enc_timestamp(
+            client_creds,
+            till='99990913024805Z')
+
 
 if __name__ == "__main__":
     global_asn1_print = False
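Review bot: test_future_till only establishes that the AS exchange succeeds with `till='99990913024805Z'`; nothing in the hunk checks which end time the KDC put in the issued ticket. A KDC that accepted the request but copied the year-9999 expiry into the ticket, instead of capping it at its maximum ticket lifetime, would still pass. If `_run_as_req_enc_timestamp` returns the reply, the test could assert that the ticket's endtime is no later than the policy limit; whether the helper already checks this is not visible here. The same applies to test_tgs_req_future_till in kdc_tgs_tests.py. The literal is also repeated in both files without explanation, and a comment such as `# year-9999 'till' value as requested by Windows 11 22H2` would say where it comes from.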
diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py
index f57df85bfcd..e64135249db 100755
--- a/python/samba/tests/krb5/kdc_tgs_tests.py
+++ b/python/samba/tests/krb5/kdc_tgs_tests.py
@@ -2334,6 +2334,18 @@ class KdcTgsTests(KDCBaseTest):
         self._run_tgs(tgt, expected_error=(KDC_ERR_TGT_REVOKED,
                                            KDC_ERR_C_PRINCIPAL_UNKNOWN))
 
+    # Test making a TGS request for a ticket expiring post-2038.
+    def test_tgs_req_future_till(self):
+        creds = self._get_creds()
+        tgt = self._get_tgt(creds)
+
+        target_creds = self.get_service_creds()
+        self._tgs_req(
+            tgt=tgt,
+            expected_error=0,
+            target_creds=target_creds,
+            till='99990913024805Z')
+
     def _modify_renewable(self, enc_part):
         # Set the renewable flag.
         enc_part = self.modify_ticket_flag(enc_part, 'renewable', value=True)
@@ -2704,6 +2716,7 @@ class KdcTgsTests(KDCBaseTest):
                  sname=None,
                  srealm=None,
                  use_fast=False,
+                 till=None,
                  expect_pac=True,
                  expect_pac_attrs=None,
                  expect_pac_attrs_pac_request=None,
@@ -2813,6 +2826,7 @@ class KdcTgsTests(KDCBaseTest):
                                          cname=None,
                                          realm=srealm,
                                          sname=sname,
+                                         till_time=till,
                                          etypes=etypes,
                                          additional_tickets=additional_tickets)
         if expected_error:
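Review bot: `till_time=till` is now passed on every call, so when `till` is left at its default the callee receives an explicit `None` where it previously received no `till_time` argument at all. If the callee's own default for `till_time` is anything other than `None`, every existing TGS test silently changes behaviour. The AS path in as_req_tests.py avoids this by defaulting locally with `if till is None:`. The call starts outside this hunk, so the callee's signature cannot be checked from here; either confirm that its default is `None` or forward the argument only when `till is not None`.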


-- 
Samba Shared Repository


